States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law.  The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.

Effective March 2020, the proactive portion of the SHIELD Act will:

  • Apply to any business that has personal information (“PI”) regarding any New York resident
  • Require those businesses to adopt proactive measures to safeguard that PI
  • Require businesses to vet vendors entrusted with or with access to that PI

The amendments to the current New York breach notification law, effective on October 23, 2019, “redefine a “breach” to include the “mere” unauthorized access to PI (expand the law beyond the actual acquisition of such PI without authorization).

While the amendment to the breach notification requirements may not greatly impact businesses’ current practices, the proactive requirements will be felt by any business that is not already taking “reasonable” measures to safeguard PI in their control.  And if you are a vendor to any of these businesses, and you are not prepared to adopt the requisite proactive measures to protect PI entrusted to you, then you may lose that business. Continue Reading The Long Reach of New York’s SHIELD Act

After 9/11, many companies restricted corporate travel and began embracing online conferencing resources – whether by telephone, video or otherwise.

Now, Webex, Zoom and other similar services are bringing people into the same (virtual) room to facilitate collaboration and negotiation without leaving the comfort of their office or home.

These tools are time saving and effective – but they must be used with privacy and security in mind.

A few thoughts worth considering:

  • When selecting a provider, make sure that the provider offers security controls and password protection – and then use those protections before launching the application
  • When sending a calendar invite to attendees, do NOT include the leader pin!  Doing so would allow others to use your service
  • If you are recording your session, consider whether other attendees would be offended if they did not know they were being recorded
  • If you are sharing your screen, be VERY mindful of what else may “pop up” on that screen – outside attendees should not be able to view ANY other aspect of your activities
  • If you are using a video/webcam feature, consider what else may be viewed by other attendees
    • Is there a white board behind you that lists current projects?
    • Could someone walk behind you, not knowing you were on a video chat, and put you in an awkward situation – during one video conference I participated in, an attendee’s significant other walked by in underwear…
  • Be careful when you send the invitation that your email did not “autofill” the address of attendees such that someone joined your call who has nothing to do with the project at hand – and may not be part of your organization
  • Do not take unrelated calls while on a video chat – even if you are on mute others can see you are not paying attention and you never know who can read lips
  • Make sure the resource you are using – whether Webex, Zoom or otherwise – is secure.
  • If multiple parties are on a call, and then you wish to speak to “your side,” do not stay on the same bridge.  Circulate a new dial in just for your team to ensure no persons from the “other side” stayed on to hear the ensuing strategy or evaluation discussion.

Note that the NJCCIC (New Jersey’s Cyber Communication Resource) advised that earlier this year researchers discovered a vulnerability in WebEx, Zoom and other online conferencing products.  APIs (or Application Programming Interfaces) were used to capture meeting IDs to access meetings and possibly maintain access for an extended period of time.  Cisco and Zoom issued an alert to its users as to security measures that users can take to secure their conferences.

As with any technology, video conferencing is a wonderful tool, but should be used wisely to ensure that only those you intend are able to participate, and see and hear only relevant information.

In the continuing void at the federal level, more and more states are being proactive in adopting legislation that seeks to protect US residents’ personal data, and to impose stricter guidelines on companies that experience a data breach.

Although Washington State did not pass its previously pending bill that would have been more stringent on data controllers and processors than the looming Consumer Privacy Act of California, Washington did adopt new terms for its breach notification statute.  Effective as of March 2020, a “breach” requiring notice will include unauthorized access, disclosure, alteration and/or compromise of biometric and/or health data (previously excluded from the definition of personal information). Further, the window in which the entity suffering a breach must give notice has been reduced from 45 days to 30 days.

Many states, including New Jersey, New York, Florida, and Texas, have either adopted or are considering proactive legislation that will require those controlling and/or processing personal data to take “reasonable” measures to protect that data while under that entity’s control.

Without a consistent definition of “personal information,” what constitutes a “breach,” and what are “reasonable” measures, it is challenging for businesses to prepare.  That said, businesses that fail to take “some” measure to protect data will likely find themselves subject to liability even without its jurisdiction having in place proactive legislation. As discussed in the Dittman case, a data breach is a “foreseeable risk” against which companies have a “common law duty” to protect personal data.

Resources are available to help companies to take steps toward being “reasonable” in collecting, receiving, storing, processing, sharing and destroying data.  Looking for those resources is the first step toward being a responsible data controller and processor.  In New Jersey, the NJCCIC offers insights weekly into the latest threats.  NIST has frameworks for small and midsize businesses, as well as for larger entities.  SANS has forms that serve as useful starting points for developing policies and procedures.  The process can be done, but it can no longer be ignored.

For guidance on how to begin, please contact our offices.

Wipro, one of the world’s largest outsourcing companies, has confirmed that it was the subject of a cyberattack and that its attackers used – and may be continuing to use – access to Wipro’s systems to launch phishing campaigns against the company’s customers.

The investigation is ongoing, but if you or your clients use Wipro, please be wary of any communications that appear to come from the company. Training for personnel is the first line of defense. If an email, text or other inquiry seems odd or an attachment was unexpected, pick up the phone to verify the source or request before responding or clicking on a link.

Be alert and be secure.

Cybersecurity and data privacy remain at the top of the corporate agenda, and it is critical that executives stay ahead of the curve with the latest best practices in order to effectively respond when – not if – an data incident occurs.

To that end, I am pleased to offer a Lorman Education Service’s webinar, “Data Security Breach Response,” which I co-presented alongside my friend and colleague, Brett Harris of Wilentz, Goldman & Spitzer.

The webinar covers a range of topics critical to legal counsel and corporate officers alike – including the legal and practical ramifications of a data breach; incident response and breach notification obligations under applicable laws; brand and reputation implications; strategies to create a sound security culture within your organization; and administrative, technical and physical security measures to help manage risk.

To access the webinar, please visit Lorman’s website.

The time for businesses to wait until they are breached to respond to data vulnerabilities is coming to an end.  While 50 states have breach notification statutes (reactive legislation), more than 25 states have now adopted some form of proactive legislation requiring companies to take “some” measures to protect the personally identifiable information they collect, store, process and share.  The New Jersey legislature is now considering three competing bills.  While it is yet to be seen which draft will finally land on Governor Murphy’s desk, it is reasonable to expect that by the end of this year, New Jersey businesses will, by law, have to adopt measures to securely collect, store, share and destroy sensitive data.  One focus of this growing wave of proactive legislation concerning protections of personally identifiable information is the collection and protection of biometric data.  “Biometric data” is personal data related to physical, physiological or behaviors of an individual which allows for the unique identification of that individual, such as a fingerprint, facial recognition, or retina scan.  Biometric data can provide efficiency, valuable customer insight and convenience to a business.  A business may use this data for its time clock or to limit access to restricted areas within a facility.  Entertainment venues use biometrics to speed along the customer experience, while collecting valuable data as to how and when customers use different areas of those venues. There is no question that the use of biometric data has commercial benefits for employers, consumers and data analysts.

But consider this:  when your credit card is stolen, you call the credit card company and a replacement card is mailed to you overnight.  Who do you call when your fingerprint, stored by your employer or an amusement park, is compromised by a data breach?

Illinois and Texas already have in place statutes that prohibit commercial entities from capturing an individual’s biometric identifier (e.g. a fingerprint) without the person’s consent.  Both states also require businesses to protect biometrics using “reasonable” measures, and at least the same care that a business uses to protect its own sensitive information.

Most recently, New York, Massachusetts and Florida are considering legislation similar to the Illinois Biometric Information Privacy Act (“BIPA”).

Why is all this so important?  It comes down to a question of transparency, foreseeability and standing.

Transparency:  One of the hallmarks of the Illinois and Texas statutes is that businesses cannot collect biometric data without a person’s consent.  This consent requirement is consistent with one of the cornerstones of the National Institute of Standards and Technology Framework:  transparency.  Does the consumer or employee know what is being gathered by a commercial enterprise, understand why it is being gathered and have an opportunity to consent or deny consent to that collection?  If the answer to any of these questions is no, even without a breach having occurred, a company may be liable.  And if the company has a website from which personally identifiable information is collected, and the site does not, with clarity, explain what the company collects, how they use the data, with what other entities they share the data, and a person’s rights regarding the data, the company may already be in violation of several states’ laws.

Foreseeability:  As the Pennsylvania Supreme Court ruled in Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199 (Pa. Nov. 21, 2018), data breaches are a foreseeable risk, and businesses have a common law duty to protect sensitive information from unauthorized access, theft, alteration or destruction from that foreseeable risk.  If a company is known to collect and store biometric data, that company is a likely target for bad actors seeking valuable biometric data.  As such, even in a jurisdiction without proactive legislation like Illinois, the company may be held liable if that data is stolen and the company failed to take measures to protect the data from the foreseeable attack.

Standing and damages:  Many cyber breach cases have failed due to the court finding a “lack of standing” – or that a matter is not “ripe” because the aggrieved party cannot demonstrate actual loss.  Just because your credit card was stolen, did you suffer harm?  Probably not:  the credit card company replaced the card at no charge to you, and backed out any fraudulent charges.

However, for the theft of irreplaceable biometric data, at least according to the Illinois Supreme Court, the analysis is different.  In an Opinion filed January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan 25, 2019), that an individual need not allege actual damages or an adverse effect, beyond violation of his or her rights under BIPA, in order to qualify as an “aggrieved” person to be entitled to seek relief under BIPA.  In this case, Rosenbach – a mother alleging injuries on behalf of her son – filed suit against Six Flags after learning that the defendant collected fingerprints from her son in order to process and maintain his season pass to the theme park.  No prior notification had been provided as to the specific purpose and length of term for which the fingerprints were being collected.  Further, the plaintiff asserted that failure of the defendant to obtain the plaintiff’s or her son’s consent violated BIPA.  Notwithstanding that no “actual” damages were shown, the Illinois Supreme Court’s holding reversed the Illinois state appellate court’s prior decision which held that it was insufficient for the plaintiff to confer standing to sue under BIPA without showing actual injury.

Existing and pending legislation, together with recent court rulings, have made it clear that companies need to be prepared for the inevitable attack on its data. Companies need to explain to “data subjects” what is being collected and why, they need to protect the data they gather, and they need to be ready to respond when an attack does occur. The message from state legislators, courts and customers is clear: prepare and protect now, or prepare to be held accountable.

From a cybersecurity and data protection perspective, traveling safely on business or pleasure is not an easy task.  But if you are mindful of what you do, and where you do it, you and your information can travel more securely.

Here are ten practical cybersecurity and data protection tips to keep in mind:

  1. Devices that you will be working on should be encrypted and up to date with security patches.  Even if your device is compromised (and this can happen any number of ways), the data stolen is unintelligible to anyone without the decryption key.
  2. While working on a plane, train or automobile, at the terminal or any other public venue using your laptop, use a privacy screen so the nosy traveler next to you, or walking down the center aisle, does not see your screen or your work.
  3. Consider traveling with your own cellphone charger or power bank.  The charging towers in some airports and terminals (particularly outside the US) have been found to have been tampered with so that when you plug in your device to charge, you are unwittingly sharing your data through malware installed in the charging tower!
  4. If you need to use the hotel or other third party computer to print out your boarding pass, (i) remember to log off the computer when you are done, (ii) do not ask to be remembered, and (iii) be mindful of who may be around you as you enter your credentials.
  5. If you are working at a hotel or third party location, do not assume that the Wi-Fi network you log into is the actual hotel network.  Hackers can easily spoof hotel Wi-Fi addresses to trick you into using their network – all the while, capturing your activities as you unsuspectingly work or shop online.  Best practice is to use your own hotspot.
  6. Confirm whether your company can remotely wipe your device – whether it is a laptop, phone or otherwise.  Then, if the device goes missing or is stolen, sensitive data can be wiped remotely. This obviously assumes that you have either memorized, or traveled with a hardcopy of, your office’s contact numbers to report lost devices as you will no longer have access to the stolen or misplaced device.
  7. Remember that devices used to print documents store images of those documents.  As such, before you have your office fax you documents or email information to a third party’s computer while you are traveling, be mindful that the third party printer or fax machine is retaining your data long after you are gone.  Better practice would be to read the document on your device or have your office overnight the materials, where possible.
  8. While traveling, if you are working on a printed, sensitive document (cover page reads, the “Merger of ABC into 123”), consider first printing a sanitized cover page, or replacing parties’ names with numbers in the document, so that your paper version does not reveal sensitive information to a third party.
  9. Do not check your bag with devices inside – whether as checked luggage, at the hotel or at the courtesy club for your airline.  You cannot assume that persons holding your items and/or having access to the holding area could not, or would not, access or steal your devices.
  10. Train your team to know that nothing is so critical that it cannot be confirmed by a phone call when you are traveling. There is not a wire transfer that must be made and there is not data that must be transmitted just as you are boarding a plane without first verifying with you by telephone.

Enjoy the trip and be smart so that someone else does not take you or your data for a ride.

On November 21, 2018, the Pennsylvania Supreme Court, the highest ranking state court in Pennsylvania, ruled that an employer had a common law duty to exercise reasonable care to protect employees’ personal data where, as a condition to employment, the employer (i) required employees to provide sensitive data, (ii) the employer chose to store such data, and (iii) the collection and storage of that information by the employer could foreseeably expose the employees to “unreasonable risk of harm”. Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199 (Pa. Nov. 21, 2018).

In a class action, the Court accepted the employees’ argument that this duty included the obligation to take “reasonable measures to protect” the data from “foreseeable risk that [hackers] would attempt to access and [comprise and/or steal] that information.” The court further accepted the employees’ position that the intervening criminal action by the hackers did “not eviscerate the duty …to take reasonable anticipatory measures against foreseeable criminal conduct…”

Note that the Court stopped short of defining what “reasonable” care would have been in this case, but the Court for purposes of this ruling accepted the employees’ statement that the employer failed to encrypt the data at issue, did not have appropriate firewalls or other “reasonable” measures.

It is critical for employers in any jurisdiction to take note of this ruling. Pennsylvania, like the majority of states in the US, does not currently have a statute requiring companies to affirmatively protect sensitive information. However, the Court here found that this duty exists in common law.

Moreover, it is reasonable to assume that the next retailer hit with a major credit card breach will be subject to similar claims and have potential liability where, customers, if paying by credit card, must provide personal payment information to the retailer, unless that retailer can prove it adopted “reasonable” measures to guard against the “foreseeable” risk that such data may be subject to compromise.

In light of the Pennsylvania court’s ruling and two recent decisions in the U.K. and North Carolina, companies are strongly urged to take action now – if they have not already – to undertake “reasonable” measures to (i) identify the sensitive data they collect and store, (ii) protect that data from foreseeable compromise – considering the type of data stored, and the company’s size and resources, (iii) be vigilant in monitoring its systems to detect compromises quickly, and (iv) have a written response plan for when, not if, an attack occurs.

And for those resisting cyber insurance and crime coverage, you may wish to reconsider in light of these rulings.

In the wake of GDPR and California’s new data privacy law, website privacy policies continue to be a hot topic for the business community.

These pieces of legislation, the FTC Act, and various other sectoral and state laws and regulations set forth a myriad of complex rules and guidelines for website privacy policies.  At a minimum:

  • Privacy policies should clearly and concisely state:
    • What information is being collected when a person visits your site
    • Who else may have access to that information
    • Site visitors’ options – to opt in or opt out – without complicated or costly means to do so
    • How you will communicate with your customers/site visitors if their data is compromised (if you wish to avoid more costly or public means of breach notification that may be mandated by certain jurisdictions)
    • Whether you are tracking site users’ locations (and with California and EU site visitors, this cannot be done without clear disclosures and consent)
    • How cookies are being used
    • How long is information retained
  • They should not be materially misleading.
  • Consent:  If you are, or think you might be, subject to GDPR and/or if you are inviting or expect site visitors from California, your website should take the “opt-in” approach (without pre-checked boxes to receive future correspondence or advertisements)
    • “Consent” under GDPR for direct consumer marketing must be freely given, specific, informed, and unambiguous.
      • Site visitors should not be penalized if they choose not to consent.
    • Your customer must know to what they are consenting, and you cannot repurpose consent given for one activity for another, unrelated activity.
  • Your website should include mechanisms to allow a data subject to request (i) confirmation and/or correction of information you have about that person, (ii) that you remove (the right of “erasure”) that person’s data from your systems, and (iii) that you transfer their information to a third party
  • If your website processes payment transactions, it must be PCI compliant.
    • If the website uses a third-party payment processor, this should be clearly stated on the website and you should review your contract with that processor as to indemnification, notice obligations and liability disclaimers or limits if the processor experiences a breach.

In addition to the issues highlighted above, there are many other cyber and data protection-related considerations associated with websites and the disclosures in privacy policies.

Regardless of whether you are subject to GDPR, if your stated privacy policy, terms and/or conditions are misleading and/or deceptive, you will be inviting federal and state claims of deceptive and/or unfair trade practices.

However, there are other issues that many companies either ignore or neglect, including:

  • Reviewing advertising insurance coverage
    • Even if you have general commercial liability insurance that includes advertising coverage, it may NOT include coverage for your digital advertising. If you do not know the answer to this, we urge you to ask your broker!
  • Assessing whether the website is ADA compliant
    • Circuit courts around the country are split on their application of Title III of the Americans with Disabilities Act (“ADA”) to websites. However, many courts are taking the position that because websites are “places of public accommodation,” they are indeed subject to the ADA.
  • Clear and complete disclosure of warranty terms
    • It is worth noting that different laws apply if you are a manufacturer or a retailer.
    • In New Jersey, retailers must comply with the state’s Truth-in-Consumer Contract, Warranty, and Notice Act.
  • Disclosure of pricing, shipping, handling and return mechanisms, requirements and limitations
  • Review of general website terms and conditions
    • Do they protect your intellectual property?
    • Do they disclose third-party links?
    • Do they address the intended or unintended collection of information about minors?
    • Do they clearly state dispute resolution mechanisms?

For any business – but particularly for a business new to the internet or e-commerce – it is easy to purchase a website “kit” without giving the necessary thought to these and other considerations. If you are just establishing an online presence, do not just “cut, paste and go.” And if your business operates an already-established website, the stated terms, conditions, privacy policy, and notices should be reviewed at least annually.

A website is a wonderful way to promote and expand your brand – provided it is appropriately established, maintained and protected.

One of the most common misconceptions surrounding cybersecurity and data protection measures is that they are too expensive to deploy and maintain – so much so that they become prohibitive for small and middle market businesses. Another one I hear often is that the implementation process can seem daunting for business owners who may be unsure about where exactly to begin.

While top-of-the-line cybersecurity programs and managed IT service packages can certainly be expensive and complex to deploy, there are several, low or no cost measures that are worth considering. An ounce of prevention, even on a limited budget, can go a long way.

1. Password protocols and two factor authentication

  • Passwords should be (at least) 10 characters
  • Changed quarterly
  • Kept in a secure location
  • Change default passwords
  • Two factor authentication can be established with minimal (or no) cost

2. Patch early, patch often: All computers and other devices should be updated regularly

3. Bank online through one, isolated computer that is not used for any other purpose, and which is not connected to the business’ local area network

4. Train your personnel on cyber mindfulness

  • More than one-third of ransomware attacks are launched via a phishing email
  • Verify from a known source – pick up the telephone!
  • If you see something, say something…

5. Least rights – for small organizations, everyone wears multiple hats… but for sensitive information, minimize who has access to the crown jewels

6. Back up your data

7. Encrypt your data

8. Secure your physical environment

9. Due diligence: read your contracts, your privacy policies and understand your legal obligations

10. Have a plan!

  • The day you discover you have had an incident is not the day to figure out “now what”?
  • PTA calling tree
  • Do NOT store the plan on the computer!

If you’d like to keep these tips at hand, they are available for download here. Be smart and be safe!